drm/i915/gvt/kvmgt: check returned slot for gfn
authorJike Song <jike.song@intel.com>
Fri, 16 Dec 2016 02:51:05 +0000 (10:51 +0800)
committerZhenyu Wang <zhenyuw@linux.intel.com>
Mon, 26 Dec 2016 01:45:29 +0000 (09:45 +0800)
gfn_to_memslot() may return NULL if the gfn is mmio
or invalid. A malicious user might input a bad gfn
to panic the host if we don't check it.

Signed-off-by: Jike Song <jike.song@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
drivers/gpu/drm/i915/gvt/kvmgt.c

index 4ba196796846d0b7ba990ac5364ad9e5bca3ed48..8b3b071a535e2fc03d95695b5c562ca6ec549322 100644 (file)
@@ -1137,6 +1137,10 @@ static int kvmgt_write_protect_add(unsigned long handle, u64 gfn)
 
        idx = srcu_read_lock(&kvm->srcu);
        slot = gfn_to_memslot(kvm, gfn);
+       if (!slot) {
+               srcu_read_unlock(&kvm->srcu, idx);
+               return -EINVAL;
+       }
 
        spin_lock(&kvm->mmu_lock);
 
@@ -1167,6 +1171,10 @@ static int kvmgt_write_protect_remove(unsigned long handle, u64 gfn)
 
        idx = srcu_read_lock(&kvm->srcu);
        slot = gfn_to_memslot(kvm, gfn);
+       if (!slot) {
+               srcu_read_unlock(&kvm->srcu, idx);
+               return -EINVAL;
+       }
 
        spin_lock(&kvm->mmu_lock);